Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Tracking tools?

From: mike () NetworX ie (Michael Ryan)
Date: Thu, 15 Aug 1996 23:08:15 BST

On Wed, 14 Aug 1996 23:56:41 -0400 David Miller wrote:


I've got a tcpdump of the network while a hacker broke into a machine. I
created it on a FreeBSD system with tcpdump -w .... (filters omitted).

I can read the file back just fine with a tcpdump -r, and dump the raw
data with a -x, but that's less than real useful.

Can anyone point out some tools I might apply to this dump file in order
to track the session which actually hacked root?  I'd most like to see
one of the monitoring programs which can be fed from the dump file, but
I'd be happy with something which would give me an ascii dump of the
data portions of selected packets.


I wrote a utility a few months ago called "tcpshow".  It provides pretty
much a complete decode of the headers and an ASCII decode of the data, in
packets collected by tcpdump.  It should prove quite useful to you in
analysing your data.  It doesn't decode application layer protocols, but
that's okay most of the time, because the apps transmit (mostly) ASCII.

I've currently got it stored at
http://www.cs.berkeley.edu/~daw/mike/tcpshow.c
The manpage is at
http://www.cs.berkeley.edu/~daw/mike/tcpshow.1

Check it out and I hope it's useful to you.  I find it invaluable.


Mike
<mike () NetworX ie>
---
Previous By Date Next
Previous By Thread Next

Current thread: